On Wed, Apr 28, 2010 at 3:50 PM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> Vivek Varghese Cherian wrote:
>>
>> Hi,
>>
>> My client has a requirement where he would like to ensure that a user
>> authorized to squid should be able to access the internet from only one
>> I.P Address.
>>
>> Her requirement is that even if one of her users shares her password
>> with the second user, the second should not be able to login except from
>> the first user's machine, not even on the second user's machine or any
>> other machine in the network for that matter.
>>
>> The client has around 1000 users in her organization who frequently
>> share their user names and passwords with other users.
>>
>> Any pointers/urls in this direction would be most welcome. If this
>> question has been answered previously in this mailing list, a pointer
>> in that direction would suffice.
>>
>> Thanks in advance.
>>
>> Regards,
>
> I see you are faced with the major job of dealing with a seriously dangerous
> habit amongst your users.
>
> The only real solution is education. The users must be taught not to share
> access privileges. This is going to take some work and probably a fair
> amount of time as well.
>
> You will need a plan of attack on the problem and support from your
> organization's management to make this fully work. The management will need
> to make policies prohibiting credentials being shared and outline some
> consequences if they are.
>
> A) The easy initial catch is to use a max_user_ip type ACL which detects
> multiple IPs using the same credentials.
> A deny_info splash page for that ACL can be used to inform the users that
> their offence has been caught and reinforce the organization's policies.
> This can be fooled in circumstances where DHCP dynamically assigns IPs, or
> NAT hides whole groups of users.
>
>
> B) As Jeff pointed out, the arp type ACL can go beyond IP address and detect
> individual machines' network cards.
> This can fail if the network has any routers between the users and Squid.
> And may require an organization-wide proxy-ARP protocol to be implemented.
>
> C) The other way is to create a database matching user logins to the IP
> address the user is assigned. Create an external_acl_type script to take
> %LOGIN %SRC parameters and look up the database for a matching pair,
> returning OK/ERR about whether the request is allowed or not.
> This can be fooled by NAT, or users setting their IP manually, or relaying
> requests through a box which does either for them.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE9 or 3.1.1

Thanks Jeff, Sagar and Amos for your invaluable feedback.

--
Vivek Varghese Cherian
Senior Systems Administrator
RHCT ( # 605010995430406)
Website : http://vivekvc.freeshell.org
Blog: http://vivekvc.wordpress.com
Linkedin: http://www.linkedin.com/in/vivekvc
IRC: Vivek and ViveKVC on both Freenode and OFTC
GPG Key fingerprint = 1EB1 0647 9574 18A3 40B5 8D74 F842 576B 3C2B 8538
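The external_acl_type approach from option C), as an added example that is not part of the thread or of Squid itself: a helper that reads the `%LOGIN %SRC` lines Squid hands it and answers OK or ERR from a login-to-IP table. The squid.conf wiring in the docstring, the script path and the user table are assumptions (the table is constructed sample data standing in for the real database), and Amos's caveat holds: the helper only sees the source address Squid sees, so NAT or a manually set IP is not caught here.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: allow a login only from its registered IP.

Assumed squid.conf wiring (hypothetical ACL name and script path):
  external_acl_type userip ttl=60 %LOGIN %SRC /usr/local/bin/userip_check.py
  acl from_own_ip external userip
  http_access deny !from_own_ip
"""
import sys

# Constructed sample table; in production this lookup hits the real database
# that maps each login to the address(es) it was assigned.
USER_IPS = {
    "alice": {"10.0.0.11"},
    "bob": {"10.0.0.12", "10.0.0.13"},  # a user registered on two machines
}


def check(login, src, table=USER_IPS):
    """True only if src is one of the addresses registered for login."""
    return src in table.get(login, set())


def handle_line(line, table=USER_IPS):
    """Turn one request line from Squid ('%LOGIN %SRC') into 'OK' or 'ERR'."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"  # malformed or unexpected input: fail closed
    login, src = fields
    # Squid sends '-' for %LOGIN when the request carried no credentials;
    # no table entry exists for it, so it is denied like any unknown user.
    return "OK" if check(login, src, table) else "ERR"


def main():
    # Non-concurrent helper protocol: one request line in, one reply line out.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks on the reply; never leave it buffered


if __name__ == "__main__":
    main()
```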